Privacy Policy

Predictorix AI

Last updated: December 2025Version: 1.0

1. Introduction

Welcome to Predictorix AI. In this Privacy Policy we explain how we collect, use, share, and protect your personal information when you use our Business Intelligence and predictive analytics platform for digital marketing.

This policy applies to all users of predictorix.ai and its associated services, regardless of geographic location. We are committed to complying with applicable data protection regulations, including:

General Data Protection Regulation (GDPR) of the European Union
California Consumer Privacy Act (CCPA/CPRA)
Brazil's General Data Protection Law (LGPD)
Federal Law on Protection of Personal Data of Mexico
Local regulations of Argentina, Colombia, Chile, and Peru

By using our services, you accept the practices described in this Privacy Policy. If you disagree with any part of this policy, we recommend not using our services.

1.1 Contact Information

Field	Information
Trade name	Predictorix AI
Website	predictorix.ai
Privacy email	soporte@predictorix.ai
Operating languages	Spanish and English

2. Service Description

Predictorix AI is a SaaS (Software as a Service) platform that centralizes marketing, sales, and financial data from multiple sources to provide ROI analysis, unified reports, and predictive intelligence.

2.1 Main Features

Automatic synchronization of advertising campaign metrics
Performance and ROI analysis dashboards
Manual sales and product management
Budget and operational cost control
Multi-platform consolidated reports
Smart performance alerts
Sales and ROI predictions using artificial intelligence
OKR system (Objectives and Key Results) with automated tracking

3. Data We Collect

3.1 Registration and Account Data

When you create an account on Predictorix AI, we collect the following information:

Full name
Email address
Company name
Country and timezone
Preferred currency
Password (stored with secure bcrypt hash, never in plain text)

3.2 Third-Party Integration Data

Meta Ads (Facebook/Instagram)

We obtain data through Meta Platform APIs. The user authorizes access via OAuth 2.0. Data is used exclusively for the purposes stated in this policy.

Data we collect:

OAuth access token (stored encrypted with AES-256-GCM)
Ad account IDs and Business Manager ID
Campaign, ad set, and ad names
Performance metrics: impressions, clicks, reach, spend, conversions, CTR, CPC, CPM
Demographic breakdowns: age, gender, region, platform, device

Data we DO NOT collect from Meta:

Ad creatives
Custom audiences
Billing data
Private messages

OAuth permissions used:

Permission	Description
ads_read	Read advertising campaign metrics and structure

For more information about how Meta handles your data, visit: https://www.facebook.com/privacy/policy/

Google Ads

We use Google Ads API to obtain data from your advertising campaigns. The user authorizes access via OAuth 2.0. We comply with Google Ads API Terms and Conditions. We do not share Google data with unauthorized third parties.

Data we collect:

OAuth access token (stored encrypted)
Ad account IDs (Customer ID)
Campaign and ad group names
Performance metrics: impressions, clicks, cost, conversions, CTR, CPC

Data we DO NOT collect from Google Ads:

Specific keywords
Audiences
Billing data

Access level: Basic Access (read-only metrics)

For more information about Google policies: https://policies.google.com/privacy

TikTok Ads

We access data from TikTok Marketing API via OAuth 2.0.

Data we collect:

OAuth access token (stored encrypted)
Ad account IDs
Campaign metrics: impressions, clicks, spend, conversions

WooCommerce

We access via REST API with credentials provided by the user. The user is responsible for configuring permissions in their store.

Data we collect:

Store URL
Consumer Key and Consumer Secret (stored encrypted)
Order data: ID, date, status, total, currency
Product data: name, SKU, price
Customer data: name, email (for sales attribution)

Data we DO NOT collect:

Payment data
Credit cards
Full addresses

Hotmart

We access via OAuth 2.0. Only transaction and digital product data. The user authorizes access from their Hotmart account.

Data we collect:

OAuth access token (stored encrypted)
Transaction data: ID, date, value, status, commission
Product data: name, price
Buyer data: name, email (for attribution)

Data we DO NOT collect:

Withdrawal financial data
Bank information

3.3 Manually Entered Data

Users can manually enter:

Products and catalogs
Manual sales (gateway, amount, date, customer)
Operational costs and budgets
Manual marketing campaigns
Business goals and objectives (OKRs)

3.4 Technical and Usage Data

We automatically collect:

IP address (for security and fraud detection)
Browser and device type
Pages visited within the platform
Action timestamps
Error logs (for debugging and service improvement)

4. Purpose of Data Processing

Below we detail how we use your data and the legal basis that justifies each use:

Data Category	Purpose	Legal Basis (GDPR)
Account data	Service provision, authentication	Contract execution
Advertising metrics	ROI analysis, reports, dashboards	Contract execution
Access tokens	Synchronization with third-party platforms	Contract execution
Sales data	Profitability calculation, attribution	Contract execution
Technical data	Security, fraud prevention	Legitimate interest
Communications	Alerts, service notifications	Contract execution
Marketing (optional)	Newsletters, product updates	Consent

5. Service Providers (Sub-processors)

We use the following service providers that may process your data on our behalf:

Provider	Service	Location	Data Processed
Supabase, Inc.	Database, Authentication	USA (AWS)	All platform data
Vercel, Inc.	Application hosting	USA (Global Edge)	HTTP requests, temporary logs
Stripe, Inc.	Payment processing	USA/Global	Billing data
PostHog	Product analytics	USA/EU	Anonymous usage events
Sentry	Error monitoring	USA	Error logs

All providers comply with SOC 2 Type II standards and/or equivalent security certifications.

6. Data Security

We implement appropriate technical and organizational measures to protect your personal data.

6.1 Technical Measures

Measure	Implementation
Encryption in transit	TLS 1.3 for all connections
Encryption at rest	AES-256-GCM for tokens and sensitive credentials
Authentication	Supabase Auth with MFA support
Row Level Security (RLS)	Each user can only access their own data
Password hashing	bcrypt with unique salt per user
Environment variables	Credentials never stored in source code
Audit	Access logs and critical changes with timestamps

6.2 Organizational Measures

Role-based access: Only authorized personnel have access to sensitive data
Training: Staff trained in security and privacy practices
Periodic reviews: Regular security audits
Incident response plan: Documented procedures for security breaches

7. Data Retention

We retain your data only for as long as necessary to fulfill the purposes described in this policy:

Data Type	Retention Period
Account data	While account is active + 30 days post-cancellation
Historical metrics	Up to 2 years (configurable by user per plan)
Access tokens	Until revocation or integration disconnection
System logs	90 days
Backups	30 days
Billing data	Per local tax requirements (5-7 years)

8. Your Privacy Rights

Depending on your location, you have the following rights over your personal data.

8.1 Rights under GDPR (European Union)

Right of Access: Request a copy of all your personal data we process.
Right to Rectification: Correct inaccurate or incomplete data.
Right to Erasure: Request complete deletion of your account and personal data.
Right to Portability: Export your data in structured format (CSV/JSON).
Right to Restriction: Limit the processing of certain data.
Right to Object: Object to processing for certain purposes.
Right to Withdraw Consent: At any time for consent-based processing.

8.2 Rights under CCPA/CPRA (California, USA)

Right to Know: What personal information we collect, use, and share.
Right to Delete: Request deletion of your personal information.
Right to Opt-Out: Of sale or sharing of personal information (we do not sell data).
Right to Non-Discrimination: For exercising your privacy rights.
Right to Correct: Inaccurate personal information.
Right to Limit: Use of sensitive personal information.

8.3 Rights under LGPD (Brazil)

Data subjects in Brazil have rights similar to GDPR, including: confirmation of processing existence, access, correction, anonymization, blocking, deletion, portability, information about sharing, and consent revocation.

8.4 Rights under LATAM Laws

Users in Mexico, Argentina, Colombia, Chile, and Peru have ARCO rights (Access, Rectification, Cancellation, and Opposition) under their respective data protection laws.

8.5 How to Exercise Your Rights

You can exercise your rights in the following ways:

From the platform: Settings → Privacy → My Data
By email: soporte@predictorix.ai
Response time: Maximum 30 calendar days

9. International Data Transfers

Your data may be transferred to the United States where our main infrastructure providers (Supabase, Vercel) are located. These transfers are made under:

Standard Contractual Clauses (SCCs) from the European Commission
Data Privacy Framework (DPF) EU-USA when applicable
Additional security measures (end-to-end encryption)

You can request additional information about the safeguards used by contacting soporte@predictorix.ai.

10. Cookies and Tracking Technologies

10.1 Essential Cookies (Always Active)

These cookies are necessary for the basic operation of the platform:

Cookie	Purpose	Duration
session	Session authentication	Session
preferences	Language, currency, timezone	1 year
ui_state	Interface state	30 days
csrf_token	CSRF security	Session

10.2 Analytics Cookies (With Consent)

We use PostHog for product analytics. These cookies help us understand how users interact with the platform to improve the experience.

10.3 What We DO NOT Use

❌ Advertising cookies
❌ Cross-site tracking
❌ Device fingerprinting
❌ Selling data to third parties for advertising

11. Minors

Predictorix AI is a B2B (Business-to-Business) service directed exclusively at companies and marketing professionals. We do not intentionally collect data from minors under 18 years of age. If we detect an account created by a minor, it will be immediately deleted along with all associated data.

If you are a parent or guardian and believe a minor has provided personal information through our platform, contact us immediately at soporte@predictorix.ai.

12. Changes to This Policy

We reserve the right to update this Privacy Policy periodically. We will notify material changes through:

✉️ Email to the address registered in your account
🔔 Visible banner on the platform
⏰ Notice at least 30 days in advance before changes take effect

Continued use of our services after the effective date of any changes constitutes your acceptance of the updated policy.

13. Revoking Integration Access

You can revoke Predictorix AI's access to your external platform accounts at any time.

13.1 Meta (Facebook/Instagram)

Visit Facebook Settings
Go to Security and login
Select Apps and websites
Find Predictorix AI
Click Remove

13.2 Google Ads

Visit myaccount.google.com
Go to Security
Select Third-party apps with account access
Find Predictorix AI
Click Remove access

13.3 From Predictorix AI

You can also disconnect integrations directly from: Settings → Integrations → [Platform] → Disconnect

14. Contact

For any inquiries related to this Privacy Policy or the processing of your personal data:

14.1 Contact Information

Channel	Detail
Privacy email	soporte@predictorix.ai
Website	predictorix.ai
Response time	Maximum 30 calendar days

14.2 Data Protection Authorities

If you believe your data protection rights have been violated, you have the right to file a complaint with the corresponding authority:

Country/Region	Authority
European Union	Data protection authority of your country of residence
Mexico	National Institute of Transparency (INAI)
Argentina	Public Information Access Agency (AAIP)
Colombia	Superintendence of Industry and Commerce (SIC)
Brazil	National Data Protection Authority (ANPD)
Chile	Transparency Council
Peru	National Personal Data Protection Authority

15. Definitions

Term	Definition
Personal Data	Any information that identifies or can identify a natural person.
Processing	Any operation performed on personal data (collection, storage, use, etc.).
Data Controller	Predictorix AI, who determines the purposes and means of processing.
Data Processor	Third parties that process data on behalf of Predictorix AI.
User	Any person who uses Predictorix AI services.
Consent	Free, specific, informed, and unambiguous manifestation of the user's will.
Sensitive Data	Data revealing racial origin, political opinions, religious beliefs, health data, sexual orientation, biometric or genetic data.

16. Additional Information by Jurisdiction

16.1 For California Residents (CCPA/CPRA)

Categories of personal information collected in the last 12 months:

Category	Examples	Collected
Identifiers	Name, email, IP	✅ Yes
Commercial information	Transaction history	✅ Yes
Internet activity	Platform browsing logs	✅ Yes
Professional information	Company name, position	✅ Yes
Inferences	Business behavior predictions	✅ Yes

We do not sell personal information. We have not sold consumer personal information in the last 12 months and have no intention to do so.

16.2 For European Union Residents

EU Representative: [To be designated if applicable based on user volume]

Legal basis for processing: See Section 4.

Additional rights: You have the right to file a complaint with your local data protection authority if you believe the processing of your personal data violates GDPR.

16.3 For Brazil Residents (LGPD)

Encarregado (DPO): soporte@predictorix.ai

Personal data is processed in accordance with the General Data Protection Law (Lei nº 13.709/2018). You have the right to request information about the processing of your data and to exercise all rights provided in article 18 of the LGPD.